A health trust did not take adequate steps to prevent the loss of a memory stick with data on 6,360 prisoners and ex-prisoners, a report has said.
The USB stick was being used to back up clinical databases at HMP Preston when it was lost on 30 December.
A report found that human error was to blame, but that procedures on data security had not been adhered to.
NHS Central Lancashire said it had taken action and reminded staff of their responsibilities.
The data lost was encrypted but the password had been written on a note which was attached when it was misplaced. The USB stick has not been found.
Read more on BBC